LDAP-UserDN is not unique per ldap module instance (auth problem when multiple ldap module instances used)

Kostas Zorbadelos kzorba at otenet.gr
Fri Sep 14 14:04:38 CEST 2018


Hello all,

In my current authentication policy, I use 2 instances of the LDAP
module. The first instance queries the directory in a specific branch
and gets information used in later checks.
The other instance is used to authorize the user (and also authenticate
him in some rare situations) and queries another branch.

The problem is that when the second LDAP module is used for the
authentication, it tries to bind with an LDAP-UserDN attribute obtained
from the first module. I need to rewrite control:LDAP-UserDN for this to
work. Tracing a bit the source, I saw that LDAP-UserDN is set with the
'=' operator:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/ldap.c#L1216

Is this by design? I would expect each module instance to have its own
LDAP-UserDN and use that when used in authentication. Am I missing
something, or is this something worth raising a GitHub issue for?

Regards,
Kostas

-- 
Kostas Zorbadelos	http://gr.linkedin.com/in/kzorba
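A configuration sketch of the two-instance setup and of the control:LDAP-UserDN rewrite the message refers to, added here as an illustration; it is not part of the original post or of the FreeRADIUS distribution. The instance names (ldap_info, ldap_auth), server name, bind identity, base DNs, filter and the attribute mapping in ldap_info are assumptions, as is the use of the instance name as an Auth-Type value (the server registers the name given in the authenticate section as a dictionary value for Auth-Type).

```unlang
# mods-enabled/ldap  (two rlm_ldap instances; names and DNs are assumptions)

ldap ldap_info {
        server = "ldap.example.org"
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "changeme"
        base_dn = "ou=info,dc=example,dc=org"

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        # Copy directory data into the control list for later policy
        # checks.  The LDAP attribute name on the right is an assumption.
        update {
                control:Framed-IP-Address := 'radiusFramedIPAddress'
        }
}

ldap ldap_auth {
        server = "ldap.example.org"
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "changeme"
        base_dn = "ou=people,dc=example,dc=org"

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
}

# sites-enabled/default  (only the relevant parts)

authorize {
        ldap_info

        # rlm_ldap adds control:LDAP-UserDN with the '=' operator after a
        # successful user lookup, so the DN found under ou=info would be
        # reused by ldap_auth, and by its authenticate method when it binds
        # as the user.  Remove the attribute so ldap_auth searches its own
        # branch and records the DN from ou=people instead.
        update control {
                &LDAP-UserDN !* ANY
        }

        ldap_auth

        if ((ok || updated) && User-Password) {
                update control {
                        &Auth-Type := ldap_auth
                }
        }
}

authenticate {
        # Bind as the user with the DN ldap_auth stored in control:LDAP-UserDN.
        Auth-Type ldap_auth {
                ldap_auth
        }
}
```

If the DN found by ldap_info is still needed later in the policy, copy it to another attribute (for example `update request { &Tmp-String-0 := &control:LDAP-UserDN }`) before the `!* ANY` deletion; otherwise the second instance, because of the '=' semantics, would silently keep the first instance's DN.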

